$11.5M Vanished from BitoPro Hot Wallets. Here’s Why It Took Weeks to Surface

Taiwan’s BitoPro just confirmed a multi-chain security breach that drained over $11.5 million in digital assets across Ethereum, Solana, Tron, and Polygon. But the real twist? The hack happened on May 8. BitoPro didn’t say a word publicly for over three weeks.

That silence is now drawing heat from analysts, users, and on-chain sleuths — and raising new questions about how centralized exchanges handle exploits.

The First Warning Didn’t Come from BitoPro

It came from ZachXBT, the go-to on-chain investigator.

• On June 2, ZachXBT published a detailed breakdown showing suspicious outflows from BitoPro hot wallets.
• Tokens were sold across DEXs and moved through Tornado Cash and THORChain, textbook obfuscation playbooks.
• BitoPro still hadn’t disclosed anything on X or Telegram, according to ZachXBT.

ZachXBT's post on X exposed the exploit publicly, not BitoPro.

So What Did BitoPro Do After the Hack?

On May 9, one day after the breach, BitoPro announced a brief maintenance window. It said nothing about a security incident. Withdrawals appeared operational, but some users reported problems accessing funds, especially USDt.

Not until June 2 did the exchange finally admit the breach. Their official Telegram post framed it as a wallet migration gone wrong, blaming an “old hot wallet” exposed during fund reallocation.

They Say Everything’s Fine. Is It?

According to BitoPro:

• The exchange holds “sufficient reserves”
• Withdrawals remain “completely unaffected”
• A third-party firm is tracking the stolen funds
• A new wallet address will be disclosed for transparency

But the silence gap and the decision not to notify users, has already done damage to trust.

Why This Matters Beyond BitoPro

Exchanges still run on trust. Hacks are inevitable, but communication delays are not. In a post-FTX world, a 3-week blackout isn’t just questionable, it’s bad business.

Also:

• The exploit hit multiple chains such as ETH, TRON, SOL, Polygon, not just one vulnerability
• The funds were rapidly off-ramped via Tornado Cash and bridging tools
• This mirrors recent DeFi attacks, like Cetus ($220M) and Nervos ($3M)

Blockchain security firm Hacken told Cointelegraph this breach likely stemmed from access control failures, now one of Web3’s biggest systemic threats.

Don’t Wait for the Next Silent Exploit

BitoPro’s delay shows how long it takes some exchanges to come clean. If you trade or hold serious capital on-chain, use tools that show wallet movements in real-time. BananaGun gives you sniper-grade visibility across chains — before announcements drop.

TL;DR

• BitoPro lost $11.5M in a May 8 exploit, confirmed weeks later
• Users weren’t notified during the breach window
• Funds were routed through DEXs, mixers, and bridges
• ZachXBT revealed the breach before BitoPro did
• Exchange says withdrawals and reserves are unaffected

This wasn’t just a hack. It was a silence strategy. If you’re parking assets on CEXs without real-time alerts, consider tracking wallet flows with tools like BananaGun or Glassnode. Because in 2025, waiting for an exchange to admit the breach is already too late.

‍